From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] openvpn: Update to version 2.5.4
Date: Wed, 17 Nov 2021 20:12:37 +0000 [thread overview]
Message-ID: <cb031822-c4c4-9991-826b-18430eb4e33d@ipfire.org> (raw)
In-Reply-To: <20211110110929.2489-1-adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> - Update from 2.5.0 to 2.5.4
> - Update rootfile
> - Tested new version in vm testbed. Openvpn server successfully started.
>   Client connections working with 2.5.0 also successfully worked with 2.5.4
> - Changelog
>
>   Overview of changes in 2.5.4
>
>   Bugfixes
>   - fix prompting for password on windows console if stderr redirection
>     is in use - this breaks 2.5.x on Win11/ARM, and might also break
>     on Win11/amd64 when released.
>   - fix setting MAC address on TAP adapters (--lladdr) to use sitnl
>     (was overlooked, and still used "ifconfig" calls)
>   - various improvements for man page building (rst2man/rst2html etc)
>   - minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
>     at least one platform strictly checking this)
>   - fix minor memory leak under certain conditions in add_route() and
>     add_route_ipv6()
>
>   User-visible Changes
>   - documentation improvements
>   - copyright updates where needed
>   - better error reporting when win32 console access fails
>
>   New features
>   - also build man page on Windows builds
>
>   Overview of changes in 2.5.3
>
>   Bugfixes
>   - CVE-2121-3606
>     see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
>     OpenVPN windows builds could possibly load OpenSSL Config files from
>     world writeable locations, thus posing a security risk to OpenVPN.
>     As a fix, disable OpenSSL config loading completely on Windows.
>   - disable connect-retry backoff for p2p (--secret) instances
>     (Trac #1010, #1384)
>   - fix build with mbedtls w/o SSL renegotiation support
>   - Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)
>   - MSI installers: properly schedule reboot in the end of installation
>   - fix small memory leak in free_key_ctx for auth_token
>
>   User-visible Changes
>   - update copyright messages in files and --version output
>
>   New features
>   - add --auth-token-user option (for --auth-token deployments without
>     --auth-user-pass in client config)
>   - improve MSVC building for Windows
>   - official MSI installers will now contain arm64 drivers and binaries
>     (x86, amd64, arm64)
>
>   Overview of changes in 2.5.2
>
>   Bugfixes
>   - CVE-2020-15078
>     see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
>     This bug allows - under very specific circumstances - to trick a
>     server using delayed authentication (plugin or management) into
>     returning a PUSH_REPLY before the AUTH_FAILED message, which can
>     possibly be used to gather information about a VPN setup.
>     In combination with "--auth-gen-token" or a user-specific token auth
>     solution it can be possible to get access to a VPN with an
>     otherwise-invalid account.
>   - restore pushed "ping" settings correctly on a SIGUSR1 restart
>   - avoid generating unnecessary mbed debug messages - this is actually
>     a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448
>     ED curves - mbedTLS crashes on preparing debug infos that we do not
>     actually need unless running with "--verb 8"
>   - do not print inlined (<dh>...</dh>) Diffie-Hellman parameters to log file
>   - fix Linux/SITNL default route lookup in case of multiple routing tables
>     with more than one default route present (always use "main table" for now)
>   - Fix CRL file handling in combination with chroot
>
>   User-visible Changes
>   - OpenVPN will now refuse to start if CRL file is not present at startup
>     time. At "reload time" absence of the CRL file is still OK (and the
>     in-memory copy is used) but at startup it is now considered an error.
>
>   New features
>   - printing of the TLS ciphers negotiated has been extended, especially
>     displaying TLS 1.3 and EC certificates more correctly.
>
>   Overview of changes in 2.5.1
>
>   New features
>   - "echo msg" support, to enable the server to push messages that are
>     then displayed by the client-side GUI. See doc/gui-notes.txt and
>     doc/management-notes.txt.
>     Supported by the Windows GUI shipped in 2.5.1, not yet supported by
>     Tunnelblick and the Android GUI.
>
>   User-visible Changes
>   - make OPENVPN_PLUGIN_ENABLE_PF plugin failures FATAL - if a plugin offers
>     to set the "openvpn packet filter", and returns a failure when requested
>     to, OpenVPN 2.5.0 would crash trying to clean up not-yet-initialized
>     structure members. Since PF is going away in 2.6.0, this is just turning
>     the crash into a well-defined program abort, and no further effort has
>     been spent in rewriting the PF plugin error handling (see trac #1377).
>
>   Documentation
>   - rework sample-plugins/defer/simple.c - this is an extensive rewrite
>     of the plugin to bring code quality to acceptable standards and add
>     documentation on the various plugin API aspects. Since it's just
>     example code, filed under "Documentation", not under "Bugfix".
>   - various man page improvements.
>   - clarify ``--block-ipv6`` intent and direction
>
>   Bugfixes
>   - fix installation of openvpn.8 manpage on systems without docutils.
>   - Windows: fix DNS search list setup for domains with "-" chars.
>   - Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
>   - Windows: Skip DHCP renew with Wintun adapter (Wintun does not support
>     DHCP, so this was just causing a - harmless - error and needless delay).
>   - Windows: Remove 1 second delay before running netsh - speeds up
>     interface init for wintun setups not using the interactive service.
>   - Windows: Fix too early argv freeing when registering DNS - this would
>     cause a client side crash on Windows if ``register-dns`` is used,
>     and the interactive service is not used.
>   - Android: Zero initialise msghdr prior to calling sendmesg.
>   - Fix line number reporting on config file errors after <inline> segments
>     (see Trac #1325).
>   - Fix port-share option with TLS-Crypt v2.
>   - tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key), otherwise
>     dropping privs on the server would fail.
>   - tls-crypt-v2: fix server memory leak (about 600 bytes per connecting
>     client with tls-crypt-v2)
>   - rework handling of server-pushed ``--auth-token`` in combination with
>     ``--auth-nocache`` on reconnection / TLS renegotiation events. This
>     used to "forget" to update new incoming token after a reconnection event
>     (leading to failure to reauth some time later) and now works in all
>     tested cases.
>
> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/rootfiles/common/openvpn | 5 +++++
> lfs/openvpn | 4 ++--
> 2 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index 41ccc885e..6c3457d01 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -18,7 +18,12 @@ usr/sbin/openvpn
> #usr/share/doc/openvpn/README.auth-pam
> #usr/share/doc/openvpn/README.down-root
> #usr/share/doc/openvpn/README.mbedtls
> +#usr/share/doc/openvpn/gui-notes.txt
> #usr/share/doc/openvpn/management-notes.txt
> +#usr/share/doc/openvpn/openvpn-examples.5.html
> +#usr/share/doc/openvpn/openvpn.8.html
> +#usr/share/man/man5/openvpn-examples.5
> +#usr/share/man/man8/openvpn.8
> var/ipfire/ovpn/ca
> var/ipfire/ovpn/caconfig
> var/ipfire/ovpn/ccd
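Review bot: All five added entries are commented out, so gui-notes.txt, the two HTML pages and the openvpn.8 / openvpn-examples.5 man pages are built but deliberately not shipped, which matches the existing `#usr/share/doc/openvpn/...` entries directly above them. One thing to confirm before merging: the quoted changelog says man page building now goes through rst2man/docutils (2.5.1: "fix installation of openvpn.8 manpage on systems without docutils"), so whether `usr/share/man/man8/openvpn.8` is present in the install depends on docutils being available in the build environment; if it is not, the rootfile no longer matches the install. A sentence in the commit message saying the rootfile was regenerated from the actual 2.5.4 install would settle that.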
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 81ccc52bf..82e819bfe 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 2.5.0
> +VER = 2.5.4
>
> THISAPP = openvpn-$(VER)
> DL_FILE = $(THISAPP).tar.xz
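Review bot: The version bump is fine, but the commit message should call out that jumping from 2.5.0 to 2.5.4 picks up CVE-2020-15078 from the 2.5.2 changelog quoted above, which is a server-side issue when a plugin or the management interface does deferred authentication, i.e. the role in which this package runs here ("Openvpn server successfully started"); the CVE-2121-3606 entry from 2.5.3 is Windows-only and does not apply. Marking the update as a security fix in the first line makes it easier to trace later when the fix reached a release.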
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_MD5 = ba426e2217833b522810d6c06f7cc8f7
> +$(DL_FILE)_MD5 = 336be3b2388cdc65dd8c81f22b1c2836
>
> install : $(TARGET)
>
>
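Review bot: The only integrity check on the new tarball is the `$(DL_FILE)_MD5` value, following the convention already used in this file; MD5 catches a truncated or corrupted download but is not collision-resistant, so this line by itself only proves that the submitter and the reviewer fetched the same bytes. It would be worth recording in the commit message (or in the review) that `openvpn-2.5.4.tar.xz` was taken from the upstream release and its hash compared against the checksum or signature upstream publishes, rather than computed from whatever was downloaded.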